For many businesses, it’s no longer a question of whether to adopt the cloud, but rather how to deliver cloud solutions securely. Many organisations recognise the need to make security central to their strategic business goals, but how?
In this blog, I’ll unravel the security implications of multi cloud and share practical insights on tackling the complexities, such as achieving organisational alignment and understanding security across multiple clouds.
Forget ‘lift and shift’
The consensus is that traditional non-cloud security approaches won’t necessarily protect organisations using the cloud. And if you do end up ‘lifting and shifting’ procedures once workflows move to the cloud, expect gaps in coverage and in your ability to operate securely. Such procedures struggle to deal with the agility and speed that cloud offers. Security must adapt and become equally flexible to shed the perception of being ‘a necessary evil,’ or ‘something we must do’.
Many see security as enabling business, not stopping progress. By taking away the risk to data and workflows moving across multiple cloud services, innovation is possible without taking chances on governance. This protects reputations and supports revenues in the long term.
Avoid business strategy and security strategy mismatches
An extension of the restrictive ‘lift and shift/we’ve always done it this way’ mentality, which some professionals are challenging, is the ‘retrofit’ mindset. This is where security must be engineered into business strategy.
Security is enhanced and solutions are more coherent when the CISO is plugged into the highest level of business strategy from the outset. Some of the work here will be about analysing proposed strategies against the current security gaps, then developing bespoke solutions concurrently to support the business strategy.
When CISOs secure a seat at the strategy table, they need to be prepared to be more ‘business-orientated’ and take security ‘out of the corner.’ For some, that means giving more thought to how they’re going to reposition security as an enabler, not a blocker.
Security, not compliance, first
Leading with security makes you more compliant. Leading with compliance does not make you more secure.
We’d argue that businesses wed to ‘compliance-first’ postures could be more vulnerable to attack. Conversely, shooting for a gold standard in data security as your top priority will have the natural consequence of generating compliance as a by-product.
Secure the supply chain
Working with multiple cloud vendors and related third parties can complicate the picture on governance. It’s important to understand the shared responsibilities around keeping your data safe, as it flows across various services.
A gap analysis is valuable, as is an appreciation that securing the supply chain is about far more than switching on the native security features of cloud platforms. While these are often compelling, businesses need oversight of where those shared responsibilities begin and end along the supply chain.
Create a ‘single pane of glass’ on security
This ‘single pane of glass’ was discussed by our dinner guests, many of whom saw the value of working in partnership with specialist security professionals. This can mitigate security fears whilst enabling higher standards of compliance and greater innovation. It may also provide a clearer view of the supply chain.
Learn from others
Look at your competitors’ cloud enablements – see what you can find on what went well and not so well. These lessons are likely to include avoiding vendor lock-in - this is simply no longer necessary in the multi cloud world. There may be those who go along with 3-5-year contracts because, ‘We’ve always done it that way,’ or prefer a single platform solution to avoid complexity. However, this complexity can be mitigated using a specialist hosting partner. In addition, multi cloud can prove to be more secure, providing data is spread across multiple environments.
To read more from techUK's Cloud Week, visit our landing page